The Windows PowerShell scripting tool is being increasingly used by malicious actors not only for data theft, but also for ransomware attacks, researchers have warned.
Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. Built on the .NET Framework, the tool is available for all current versions of Windows, and it has been included by default starting with Windows 7.
Experts believe cybercriminals are increasingly relying on PowerShell because this is not a common technique and IT administrators who are usually on the lookout for malicious binaries might overlook threats that abuse the scripting tool.
In late March 2014, Trend Micro came across a new malware family, which they dubbed CRIGENT (Power Worm). Distributed as Word or Excel documents, CRIGENT relies on PowerShell to retrieve system information from the infected device and infect other Word and Excel files stored on the affected computer.
In May, Trend Micro researchers identified a new attack leveraging PowerShell. The threat had been distributed with the aid of emails purporting to come from Duo Wei Times, a US-based Chinese newspaper.
In this case, PowerShell has been used to download files and bypass execution policies. First, potential victims are served a shortcut (.lnk) file, detected by Trend Micro as LNK_PRESHIN.JTT, containing PowerShell commands in its properties. When executed, LNK_PRESHIN.JTT downloads another PowerShell scripting file, TROJ_PRESHIN.JTT, which in turn downloads and executed the final payload, BKDR_PRESHIN.JTT.
In a blog post published on Sunday, Trend Micro detailed a piece of ransomware, TROJ_POSHCODER.A, which uses PowerShell to encrypt files. POSHCODER, which appears to target Internet users in the United States, uses AES to encrypt the files, and RSA 4096 bit encryption to exchange the AES key.
This is not the first time experts have indentified a piece of ransomware using PowerShell. Back in early March, researchers from Sophos warned of Russian ransomware that used Windows PowerShell to perform file encryption with “Rijndael symmetric key encryption.” At the time, experts discovered that the encryption keys could be easily obtained with the aid of PowerShell.
